Introduction

The main objectives of AFOSR Grant no. F49620-93-1-0250 were the following:

• To develop new semantics theories for real-time and probabilistic concurrent systems; that is, systems that exhibit behavior of a probabilistic or statistical nature and which must meet real-time constraints.

• To embed our new theories in the Concurrency Factory, an integrated toolkit for the specification, simulation, automatic verification, and implementation of concurrent systems.

• To apply our semantic theories to real-life systems, such as communication protocols, embedded systems, process control systems, and digital control units.

• To perform a technology transfer of our research results to industry and DoD entities.

The research supported by AFOSR Grant no. F49620-93-1-0250 produced the following results, which represent the main accomplishments under the grant:

Testing Preorders for Probabilistic Processes: A new semantic framework was developed for reasoning about the relative reliability of concurrent processes in different operating environments.

Local Model Checking for Real-Time Systems: An efficient algorithm was invented for checking whether a specification of a real-time concurrent system satisfies correctness properties specified in a real-time temporal logic.

Probabilistic Input/Output Automata: Probabilistic Input/Output Automata is a new model of probabilistic concurrent computation that facilitates the analysis of delay and probability in distributed systems.

New Semantic Model for Soft Real-Time Systems: A new semantic theory was developed that permits the modeling of probabilistic real-time systems and allows users to make rigorous statements about the likelihood with which systems are guaranteed to meet deadlines.
The Concurrency Factory CASE Environment: The Concurrency Factory is an integrated environment for specification, simulation, verification, and implementation of concurrent systems. It embodies a number of the concepts developed during the grant period.

Below, these results are described in greater detail.


Testing Preorders for Probabilistic Processes

Communicating systems often exhibit behavior that is probabilistic or statistical in nature. For example, one may observe that a faulty communication link drops a message 2% of the time or that a site in a network is down with probability 0.052. It is therefore interesting to consider probabilistic processes as a system specification method. In a probabilistic process, nondeterministic choice points are augmented with probability information in the form of distributions on outgoing transitions.

In [CSZ92, YCDS94] a testing preorder is presented that relates probabilistic processes in terms of their relative reliability in different operating environments. In this setup, environments are modeled by tests, which are themselves probabilistic processes equipped with a set of success states. The probabilistic testing preorder is based on the notion of the probability by which a process passes a test. Process P is less than process Q (denoted P ⊑ Q) in the preorder when, for all tests T, the probability that P passes T is no greater than the probability that Q passes T.

We have shown that the probabilistic testing preorder enjoys close connections with the classical testing theory of De Nicola and Hennessy [DNH83, Hen88] for nondeterministic processes. In particular, if two probabilistic processes are related by the probabilistic testing preorder, then their "deprobabilized" images (obtained by erasing the probabilities in the underlying transition systems) are related by the testing preorder of De Nicola and Hennessy. Thus, the testing theory of probabilistic processes is a refinement of the testing theory of nonprobabilistic processes.

While intuitively appealing, the operational definition of ⊑ can be difficult to reason about. In particular, establishing that one process is related to another requires a consideration of the behavior of both processes in the context of all possible tests. To circumvent this obstacle, we have also developed an alternative, more denotational characterization of ⊑ to ease the task of establishing relationships between probabilistic processes. Moreover, this characterization is fully abstract, relating probabilistic processes in exactly the same manner as ⊑.
Local Model Checking for Real-Time Systems

Model checking is the problem of determining whether a system specification satisfies, i.e. is a model of, a correctness property specified as a formula in some temporal logic. In the local approach to model checking, the whole state space of the system under investigation need not be explored, but rather only that portion necessary to determine the truth or falsehood of the logical formula.

As reported in [SS95], the problem of extending local model checking to real-time specifications has been investigated. The main result of this investigation was a local algorithm for model checking in a real-time extension of the alternation-free modal mu-calculus. The principal innovations of the algorithm, called TMC (Timed Model Checking), are the following:

• TMC is, to our knowledge, the first local model checking algorithm to be proposed for the verification of real-time systems. Thus, like its counterparts for untimed systems, verification is carried out in a goal-directed manner and only those portions of the state space necessary to determine the truth of the formula are explored.

• The temporal logic used by TMC represents the first true extension of the modal mu-calculus to real-time systems. This logic supports all of the original operators of the modal mu-calculus as well as the two new "time modalities" of Holmer et al.: necessity and possibility of "time successors". Moreover, this logic achieves a clear separation of the time-dependent aspects from the untimed ones. This resulted in the reuse of a significant portion of the code of the Concurrency Factory's local model checker for the modal mu-calculus (discussed below) when implementing the local model checker for the real-time logic.

• Like most algorithms dealing with real-time systems, TMC works with a finite quotient of the state space, as the state space itself is inherently infinite. For maximal efficiency, TMC obtains a quotient that is as coarse as possible in the following sense: refinements of the quotient are carried out only when necessary to satisfy "clock constraints" in the logical formula or timed automaton used to represent the system under investigation. In this sense, our data structures are optimal with respect to the given formula and automaton.

TMC performs model checking by constructing a data structure representing the "product" of the given logical formula and the transition system induced by the given timed automaton. Each node of this "region product graph" (RPG) represents the value of a logical variable for some set of "timed states", or region. The RPG is constructed on-the-fly and explored in a depth-first manner, until nodes with a known value are found. After each step of the RPG construction, partitioning (or splitting) of nodes may be necessary to achieve stability with respect to the relevant clock constraints. Initial experimental results have shown TMC to be highly competitive efficiency-wise with existing real-time model checkers.
Probabilistic Input/Output Automata

Probabilistic I/O automata [WSS94, WSS97] is a framework we developed for reasoning algebraically about asynchronous, probabilistic and real-time systems. Probabilistic I/O automata are based on the I/O automaton model of Lynch and Tuttle [LT87]. In an I/O automaton, a distinction is made between input actions, which come from the environment and are always enabled, and output actions, which are locally controlled by the automaton itself. Accordingly, in probabilistic I/O automata, separate probability distributions are associated with each input action and a single distribution with all locally controlled actions. As such, no relative probability is specified between different inputs (or between inputs and locally controlled actions) since these choices are under the control of the environment.

Each state of a probabilistic I/O automaton is equipped with a delay parameter representing the expected delay before the automaton executes an action from a given state. The delay parameter plays a dual role: it facilitates the definition of asynchronous parallel composition among probabilistic I/O automata, and at the same time introduces a convenient notion of timing into the model. The former is particularly important given that virtually all previous work in the field has focused on synchronously composed probabilistic systems.

We have also defined a testing equivalence for probabilistic I/O automata, which, like our work in [CSZ92, YCDS94], is based on the natural notion of an automaton passing a test with a certain probability. Using probabilistic behavior maps, we have obtained a fully abstract alternative characterization of the testing equivalence, which eases the task of proving (or disproving) two probabilistic I/O automata testing equivalent. By "fully abstract" we mean that the alternative characterization identifies two automata if and only if they are testing equivalent.

We have used probabilistic I/O automata to model the Boeing 777 Stabilizer Position Indicator (SPI) program. The SPI application is discussed further below. Ongoing work involves the use of probabilistic I/O automata to compositionally, and hence efficiently, determine expected delays between events in distributed systems.


New Semantic Model for Soft Real-Time Systems


In the literature on real-time systems (see, for example, [LS96]), a distinction is often drawn between hard and soft real-time systems. In a hard real-time system, all deadlines must be met, as the consequences of failing to meet a deadline can be devastating. Examples of such systems include process control systems for nuclear power plants and fly-by-wire avionics systems. In a soft real-time system, the consequences of failing to meet a deadline are not nearly as grave, and thus a certain percentage of missed deadlines can be tolerated. Examples of soft real-time systems include financial data delivery systems and the U.S. Postal Priority Mail system.
During the third year of the grant, a new semantic theory of soft real-time systems was developed. This theory permits the modeling of probabilistic real-time systems and allows users to make rigorous statements about the likelihood with which systems are guaranteed to meet deadlines. In contrast, most existing models only support the analysis of hard real-time systems in which no deadlines can ever be missed.

The key components of the framework are: (1) a specification language PDP (for Probabilistic and Discrete-time Processes) that incorporates both probabilistic and timing aspects of process behavior; (2) a formal operational semantics for PDP given as a recursively defined probability distribution function over process terms and atomic actions; and (3) a natural notion of a process passing a test with a certain probability, where a test is a process with the added capability of reporting success. By encoding deadlines as tests, the probability of a process passing a test may now be interpreted as the probability of the process meeting a deadline, thereby capturing the essence of soft real-time. A simple video frame transmission example was developed to illustrate the approach.
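As an added example (not the report's or the Concurrency Factory's code), the Python below computes the probability with which a probabilistic process passes a test and uses it for both ideas above: comparing the relative reliability of two lossy links under a family of tests, as in the testing preorder section, and reading the pass probability of a deadline test as the probability of meeting the deadline, as in the soft real-time section. The lossy-link process, the discrete "tick" action, the deadline test and the renormalising synchronous-product rule are constructed assumptions for illustration, not the definitions of the cited papers.

```python
# Added example, not the report's code: probability that a probabilistic
# process passes a test, computed on the synchronous product of the two.
# A process is a dict: state -> [(action, probability, next_state)], with the
# probabilities out of each state summing to 1 (constructed generative model).

def lossy_link(drop_prob):
    """Frame transmitter: deliver or drop; a dropped frame is resent after a tick."""
    return {"idle": [("send", 1.0, "sent")],
            "sent": [("deliver", 1.0 - drop_prob, "done"), ("drop", drop_prob, "lost")],
            "lost": [("tick", 1.0, "idle")],
            "done": []}

def deadline_test(max_ticks):
    """Deadline encoded as a test: succeed on 'deliver', refuse a tick past max_ticks."""
    trans = {"ok": []}
    for k in range(max_ticks + 1):
        trans[k] = [("send", 1.0, k), ("drop", 1.0, k), ("deliver", 1.0, "ok")]
        if k < max_ticks:
            trans[k].append(("tick", 1.0, k + 1))
    return trans, {"ok"}

def pass_probability(proc, p0, test, t0, success, eps=1e-12):
    """Least fixpoint of the reachability equations on the product graph."""
    def successors(p, t):
        # Synchronise on equal actions; the joint weight is the product of the local
        # probabilities, renormalised over the pairs the test does not refuse (assumption).
        joint = [(pp * tp, (p2, t2))
                 for a, pp, p2 in proc[p] for b, tp, t2 in test[t] if a == b]
        total = sum(w for w, _ in joint)
        return [(w / total, s) for w, s in joint] if total else []
    succ, stack = {}, [(p0, t0)]           # explore the reachable product states
    while stack:
        s = stack.pop()
        if s not in succ:
            succ[s] = successors(*s)
            stack.extend(s2 for _, s2 in succ[s])
    val = {s: 1.0 if s[1] in success else 0.0 for s in succ}
    pending = [s for s in succ if s[1] not in success]
    while True:                            # iterate until the values stabilise
        delta = 0.0
        for s in pending:
            new = sum(w * val[s2] for w, s2 in succ[s])
            delta, val[s] = max(delta, abs(new - val[s])), new
        if delta < eps:
            return val[(p0, t0)]

def meets_deadline(drop_prob, max_ticks):
    """Probability the frame is delivered using at most max_ticks retransmission ticks."""
    trans, success = deadline_test(max_ticks)
    return pass_probability(lossy_link(drop_prob), "idle", trans, 0, success)

def below_in_preorder(proc_p, proc_q, tests):
    """P below Q on a finite family of tests: Q passes every test at least as often as P."""
    return all(pass_probability(proc_p, "idle", t, 0, ok) <=
               pass_probability(proc_q, "idle", t, 0, ok) for t, ok in tests)
```

With a deadline of two ticks the link gets three attempts, so meets_deadline(0.02, 2) returns 1 - 0.02**3 = 0.999992, and a 5% link is below a 2% link on every deadline test; a finite test family can only refute or support the preorder, since the definition quantifies over all tests.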


The Concurrency Factory and Industrial Interactions


The Concurrency Factory is an integrated toolset for specification, simulation, verification, and implementation of concurrent systems, such as communication protocols and process control systems. The original source of funding for the Factory is NSF grant CCR-9120995, co-principal investigators Philip Lewis and Scott Smolka (SUNY, Stony Brook), and Rance Cleaveland (N.C. State). AFOSR Grant no. F49620-93-1-0250 has provided key additional support for the project, especially with regard to the Factory's capability to handle real-time specifications and to produce executable code from specifications.

Two themes central to the Concurrency Factory project are the following: the use of process algebra [Mil89, BK84, Hoa85] as the underlying formal model, and the provision of practical support for process algebra. By "practical" we mean that the Factory should be usable by protocol engineers and software developers who are not necessarily familiar with formal verification, and it should be usable on problems of real-life scale, such as those found in the avionics industry.

The main features of the Concurrency Factory are the following:

• A graphical user interface, VTView/VTSim, that allows the non-expert to design and simulate concurrent systems using process algebra. VTView is a graphical editor for hierarchically structured networks of finite-state processes, and VTSim is a sophisticated environment for the simulation and testing of VTView-constructed specifications.

• A textual user interface based on the language VPL, a simple parallel programming language that provides support for a small collection of data types, such as fixed-size integers and integer arrays. VPL makes it easier to specify concurrent programs in which actual data values are passed between processes. Yet the underlying systems are still finite-state, which means that VPL programs, like VTView specifications, are amenable to automatic verification.

• A suite of design and analysis algorithms that currently includes a local model checker for the alternation-free modal mu-calculus and its real-time extension, and a bisimulation checker based on the algorithm of Kanellakis and Smolka. Care has been taken to ensure that these algorithms are efficient enough to be used on real-life systems.

• A graphical compiler that transforms VTView specifications into executable code. Our current version produces Facile code, a concurrent language that symmetrically integrates many of the features of Standard ML and CCS. Facile programs execute as independent processes communicating over TCP/IP, and are thus truly concurrent/distributed. We are also considering compilation into Ada94. The graphical compiler relieves the user of the burden of manually recoding their designs in the target language of their final system.

The Concurrency Factory is written in C++ and executes under X-Windows, using Motif as the graphics engine, so that it is efficient, easily extendible, and highly portable. It is currently running on SUN SPARCstations under SunOS and Solaris.

With regard to the theories and tools developed under AFOSR Grant no. F49620-93-1-0250, the Concurrency Factory serves as our vehicle for technology transfer. Specifically, we have interacted with the following Long Island companies:

• We have used the Concurrency Factory to specify and analyze a highly fault-tolerant communications protocol used by Reuters America in their worldwide financial trading network.

• The Factory was used, along with the related probabilistic I/O automata technology [WSS97], to specify the Stabilizer Position Indicator module of the Boeing 777. The SPI module was designed and constructed by Parker-Hannifin.

• We have used the Concurrency Factory in our recent interactions with Northrop Grumman to specify and verify a number of key properties of the E-2C communications protocol used on AWACS aircraft for reliable communication between mission computers and tactical workstations.